About *.exe file verification by CFP

I just tried something: I chose an executable, CCleaner.exe, could have chosen any other one. CCleaner.exe is in the CFP safe list. I deactivated Def+. Launched ResHack, and modified the exe structure, by deleting a couple of strings. I then reactivated Def+ in paranoid mode. Launched CCleaner. The file was not that damaged and could be launched, and guess what: NO ALERT. I just found the modified exe in the pending file list, made an online lookup and of course the file was not found safe anymore. But no alert came to give me an opportunity to block it. The file was just there in the pending file list, waiting for what? For me to review it once it could have launched a malicious process? I don’t even know why it was in the pending file list: is it because it was considered as new on the hard disk, or because it didn’t match the old one that was in the safe list? Or both?

Of course if instead of ResHack, a trojan was trying to modify the file I’d get an alert. But imagine the scenario when someone gets physical access to my computer, deactivates Def+, replaces or modifies a file, then reactivates Def+. I wouldn’t detect anything when launching the executable again. There is just no verification done against the old file, just against the safe list, and automatically sending a new file to the pending file list doesn’t protect from anything; no alert pops up because CFP detects no potential threat.

I really think it would be time to rely on a bit more than a safe list, or a date of arrival on the hard disk, and automatically run some checksum verification when an executable is launched. This is supposed to be implemented, but how, and is it really implemented…
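The launch-time checksum verification the post asks for, as an added illustration that is not code from the thread or from Comodo: a baseline of SHA-256 digests is recorded when an executable is first approved, and the file is re-hashed every time it is about to run. The baseline store, the function names and the stand-in file contents are all constructed for this example; the "resource edit" is simulated by dropping a string from the bytes, the same kind of change the post made with ResHack, so the mismatch the safe list missed becomes a concrete "modified" verdict instead of a silent entry in a pending list.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(paths):
    """Hypothetical baseline: path -> digest taken when the file was first approved.
    Kept in a dict here; a real tool would keep it in a store the user cannot
    silently bypass."""
    return {str(p): sha256_of(p) for p in paths}


def verify_before_launch(path, baseline):
    """Return 'ok' when the file matches its recorded digest, 'modified' when it
    does not, and 'unknown' when the path was never approved. Only 'ok' should
    be allowed to run without an alert."""
    key = str(path)
    if key not in baseline:
        return "unknown"
    return "ok" if sha256_of(path) == baseline[key] else "modified"


def demo():
    """Walk through the post's experiment on constructed stand-in files."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "CCleaner.exe"
        # Constructed stand-in for an executable's bytes (not a real PE file).
        exe.write_bytes(b"MZ" + b"\x00" * 64 + b"Version 2.0 resource string")
        baseline = record_baseline([exe])
        before = verify_before_launch(exe, baseline)  # 'ok'

        # Simulate the resource edit: remove a string from the file on disk.
        # The file name and location are unchanged, so a name-based safe list
        # still matches; only the digest comparison notices the change.
        exe.write_bytes(exe.read_bytes().replace(b"resource string", b""))
        after = verify_before_launch(exe, baseline)  # 'modified'

        # A file that was never approved is reported separately from a
        # modified one, so the two cases can be alerted on differently.
        newcomer = Path(d) / "other.exe"
        newcomer.write_bytes(b"MZ" + b"\x00" * 64)
        unknown = verify_before_launch(newcomer, baseline)  # 'unknown'

        return before, after, unknown


if __name__ == "__main__":
    print(demo())
```

The check distinguishes "this file is new" from "this file no longer matches what I approved", which is exactly the ambiguity the post notes about the pending file list. The baseline itself has to be protected: if it can be rewritten by anyone who can disable the product, the same physical-access scenario defeats it too.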

This has already been discussed. See my example here. So far, development has not made any comments regarding this problem. You made a post in that thread too.

Al

I know, and I already read your post before. I made this new topic hoping someone from the Comodo dev team will finally comment on this subject.

But there was this post that I missed:
https://forums.comodo.com/help_for_v3/does_cpf_30_do_md5sha-t17679.0.html;msg120819#msg120819

I wonder why they put “Image Execution Control Settings” in CFP, explaining in the help files that it would do a checksum against the safe list and pop up an alert if anything goes wrong, which obviously never happens. What’s the point of integrating something in the GUI that doesn’t work at all, and doesn’t even run, I think?

That’s unfortunately exactly what Melih said a couple of times in this forum: prevention instead of detection. Couldn’t we have both? A lack of detection in some situations could lead to disasters. As I said, CFP would detect a trojan attempting to modify a file, but if it doesn’t (example of someone with direct access modifying a file with Def+ deactivated), and the file is modified, as no checksum verification is done at the next launch of the exe, no threat is detected, and no alert. Cool! :THNK

I don’t blame you. I asked a direct question to development there and have not heard anything yet. I guess the jury is still out :). I must say it is very time consuming to follow so many different threads and important topics tend to get buried within a matter of days. If one does not continuously keep up with the forums, it is very easy to miss things here and there. Forums are not ideal for reporting bugs.

Al

No problem, Adric. I didn’t think you did. I just would like a developer to tell me why they removed checksum verification, as it was present in CFP 2.4 and as it is present in Spyware Terminator, and why the interface says it’s implemented (only against the safe list) when it’s not implemented at all. And again, in the case of a modification attempt that would go undetected, there would be no detection of the modification once it’s done, before execution of the process.